Chip to Cloud, day 2: Automated analysis of Java Card applets

This is a presentation by Jean-Baptiste Machemie, from the University of Limoges and a new project called Arya Security. The topic is automated analysis of Java Card applets, which is one of my favorite topics, and I am very happy to see interest from academia, as well as the emergence of companies who distribute such tools.

The first question is to understand why automated analysis is required for NFC. One of the issues of NFC is the scalability of security evaluation processes. There are good schemes for so-called sensitive applets, which are related to payment, identity, or other schemes that have strong certification requirements, usually requiring a full evaluation, including attacks.

The other applications, so-called non-sensitive, are provided by security companies who do not require security certification. Some analysis is required, at least to make sure that they don’t interfere with the sensitive applications. Today, this analysis is performed manually by laboratories, which is error-prone, effort-intensive, and not scalable.

Static analysis is a technology that allows us to completely automate this security analysis. This is done directly on the binary CAP file, without running the application, but simply by analyzing how the code could behave. It is possible to verify plenty of rules, including those defined by AFSCM or by GlobalPlatform. Luckily for Arya Security, these rules have been defined by people who were actually thinking about static analysis, and who made sure that the rules would be easy enough to analyze.
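To make the idea of a rule checked directly on the binary CAP file concrete, here is an added example (not from the talk and not Arya Security's tool) that reads the Import component of a CAP archive and reports imported package AIDs outside an allow-list. The allow-list policy, the function names and the sample archive are assumptions constructed for illustration; they are not AFSCM or GlobalPlatform rules.

```python
import io
import struct
import zipfile

IMPORT_TAG = 4  # component tag of Import.cap in the CAP file format
# Constructed allow-list for illustration; a real policy comes from the scheme's rule set.
ALLOWED_AIDS = {"A0000000620001", "A0000000620101"}  # java.lang, javacard.framework

def parse_import_component(blob):
    """Return [(aid_hex, major, minor)] from a raw Import component."""
    if len(blob) < 4:
        raise ValueError("truncated Import component")
    tag, size, count = struct.unpack_from(">BHB", blob, 0)
    if tag != IMPORT_TAG or size != len(blob) - 3:
        raise ValueError("not a well-formed Import component")
    pos, packages = 4, []
    for _ in range(count):
        if pos + 3 > len(blob):
            raise ValueError("truncated package_info")
        minor, major, aid_len = struct.unpack_from(">BBB", blob, pos)
        aid = blob[pos + 3 : pos + 3 + aid_len]
        if not 5 <= aid_len <= 16 or len(aid) != aid_len:
            raise ValueError("bad AID length")
        packages.append((aid.hex().upper(), major, minor))
        pos += 3 + aid_len
    if pos != len(blob):
        raise ValueError("trailing bytes after last package_info")
    return packages

def disallowed_imports(cap_bytes, allowed=ALLOWED_AIDS):
    """Statically list imported package AIDs that are outside the allow-list."""
    with zipfile.ZipFile(io.BytesIO(cap_bytes)) as cap:
        names = [n for n in cap.namelist() if n.endswith("/Import.cap") or n == "Import.cap"]
        if len(names) != 1:
            raise ValueError("expected exactly one Import.cap")
        imports = parse_import_component(cap.read(names[0]))
    return [aid for aid, _, _ in imports if aid not in allowed]

def build_sample_cap(aids):
    """Build a constructed CAP-like archive holding only an Import component."""
    body = bytes([len(aids)])
    for aid in aids:
        raw = bytes.fromhex(aid)
        body += bytes([0, 1, len(raw)]) + raw  # minor=0, major=1
    blob = struct.pack(">BH", IMPORT_TAG, len(body)) + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("com/example/javacard/Import.cap", blob)
    return buf.getvalue()
```

The applet is never executed: the verdict comes only from the bytes of the component, and a malformed component is rejected rather than skipped.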

I strongly believe in static analysis, and I have written and talked about it multiple times. I am quite happy that some people are getting into this market and proposing a tool for Java Card. I haven’t directly tried their tool, but I hope that its algorithms are good enough to avoid lots of false positives, and that they will be adopted.

The main barrier for them is actually NFC adoption. However, if it works, I am quite convinced that static analysis is the only way to go, because any non-automated techniques are not going to be scalable enough. Another company whose fate is linked to the success of NFC (in card emulation mode).